Currently, anti-virus software companies are faced with the fact that in recent years the growth in the number of security threats exceeds all conceivable bounds. Security threats include a variety of malicious software such as trojans, worms, viruses and other unwanted software, as well as links that lead to web pages hosting malware and other unwanted software, vulnerabilities in software licensing, etc. The category of unwanted software can also include programs intended to commit financial crimes (“crimeware”), to track user actions (“spyware”), or to block access to data on, or the operation of, a victim's computer (“ransomware”).
The number of new, unique threats is growing exponentially. At the same time, the capabilities of anti-virus companies (both hardware resources and manpower, i.e., expert analysts) are limited by comparison, such that increasing them at the same rate at which the number of threats increases is impossible. One of the reasons for the growth of malicious software is the massive development of the communications infrastructure, particularly the Internet, and the corresponding rapid growth in the number of users. This in turn brings the growth of various services that are offered online: Internet banking, virtual money (such as WebMoney), messaging, blogs, software-as-a-service, and the like. The present generation of so-called computer criminals has evolved from previous generations of vandals and those seeking to make political statements through their activities, to more sophisticated financial criminals who have learned to develop malicious software and organize network attacks to steal funds through theft, extortion, or fraud. In recent years, their activity has affected not only the banking sector (e.g., Trojan bankers), but has also extended to the theft of accounts for popular online games, as well as extortion by programs such as Trojan-Ransom. Their success and growth are attributed to a number of factors: inadequate protection of many online services, the inadequacy or complete absence of laws in some countries relating to offenses committed on the Internet, and sometimes simple ignorance of computer security on the part of computer users.
In computer security applications, the use of conventional threat detection methods such as signature and heuristic analysis cannot simply scale with the rate of growth of the threats. The constantly increasing number of malicious programs makes the development and dissemination of new anti-virus records for detecting new malware very difficult. Likewise, conventional monitoring of the Internet for newly-created sites which spread malicious software and infect computers cannot scale with the rate at which these malicious sites are created.
All these problems lead to the fact that anti-virus applications can miss malicious software (such as when the malware databases are incomplete or out-of-date), can produce false positives (i.e., a trusted application is incorrectly detected as malware) and false negatives (i.e., malware goes undetected), etc. On the other side of the balance, anti-virus applications that are designed to deal with the huge volume of potential threats tend to put unreasonable burdens on the computing resources of computer systems, which tends to stifle the user experience.
Along with the growth of malicious software, the world of legitimate software is also growing. This presents added challenges of inspecting increasing numbers of programs in order to deem them trusted applications for whitelisting. This, too, results in rapidly-expanding demands on anti-virus applications which cannot be met by simple scaling.
Anti-virus companies have been harnessing the power of their user network to some extent. In a typical example, users are invited to report to the anti-virus company the results of malware detection, or of the analysis of unknown programs, carried out by their locally-running systems. These reports are then analyzed, synthesized with similar reports, and incorporated by the anti-virus company into a malware database that is periodically updated and disseminated to all users of their service. In this basic model, the entire network of users gets the benefit of the first user's detection of a new piece of malware. This benefit, however, is delayed by the cycle time of reporting, review, analysis/synthesis, and database update that elapses between the first user's detection of a piece of malware and the protection against that malware that is eventually disseminated.
A more effective solution is needed to counter the rate of expansion of security threats.